KEYS(6)                                                   KEYS(6)

     NAME
          keys - secrets shared with signer

     DESCRIPTION
          The file /keydb/keys exists only on a host acting as a
          `signer' (authentication server, Certifying Authority).  It
          holds a password entry for each user registered with an
          Inferno server.  Each entry contains a user name, a pass-
          word, the time at which the entry expires, and the entry's
          status.  The password is the secret shared between the user
          and signer (authentication server), allowing the signer to
          sign a certificate to authenticate a user's public key to
          others, using the secret to check the user's identity.  The
          actual secret is not stored, but rather its SHA-1 hash.

          The file is encrypted with a secret provided by the signer's
          administrator; normally that secret is entered once when
          authentication services are started by svc/auth on the host
          acting as signer (see svc(8)). The file should also be read-
          able and writable only by the user identity that runs the
          signing service (ie, mode 600, see chmod(1)). Entries are
          usually accessed only through the name space provided by
          keyfs(4), which decrypts the file into internal data struc-
          tures given the administrative key, and makes each entry
          visible as a separate directory.  Using that name space,
          entries are added and updated by an administrator using
          changelogin(8), a user can change a secret using passwd(1)
          via keysrv(4), and it is accessed for signing by logind(8)
          to obtain the secret used to verify the identity of a client
          requesting a certificate (typically via security-login(2)).

     FILES
          /keydb/keys

     Page 1                       Plan 9            (printed 12/23/24)